Add missing workflows

.github/workflows/ci.yml

@@ -1,4 +1,4 @@
-name: Continuous Integration
+name: CI
 
 on:
  push:
@@ -7,6 +7,8 @@ on:
  tags:
  - "v[0-9]+.[0-9]+.[0-9]+*"
  pull_request:
+ branches:
+ - "**"
 
 defaults:
  run:
@@ -73,16 +75,16 @@ jobs:
  name: Functional Tests
  runs-on: ubuntu-22.04
  steps:
- - name: Checkout Repository
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+  - name: Checkout Repository
+  uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
- - name: Setup Golang Environment
- uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
- with:
- go-version: stable
+  - name: Setup Golang Environment
+  uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+  with:
+  go-version: stable
 
- - name: Run Functional Tests
- run: make functional-test
+  - name: Run Functional Tests
+  run: make functional-test
 
  release-notes:
  name: Release Notes

.github/workflows/codeql-analysis.yml

@@ -0,0 +1,72 @@
+name: CodeQL
+
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches:
+ - main
+ schedule:
+ - cron: "30 15 * * 0" # run every Sunday at 15:30 UTC
+
+concurrency:
+ group: ${{ github.ref_name }}-codeql
+ cancel-in-progress: true
+
+permissions:
+ contents: read
+
+jobs:
+ analyze:
+ name: Analyze
+ runs-on: ubuntu-22.04
+ permissions:
+ actions: read # for github/codeql-action/init to get workflow details
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/autobuild to send a status report
+ packages: read # required to fetch internal or private CodeQL packs
+
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ - language: go
+ build-mode: autobuild
+ # CodeQL supports the following values keywords for 'language': 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift'
+ # Use `c-cpp` to analyze code written in C, C++ or both
+ # Use 'java-kotlin' to analyze code written in Java, Kotlin or both
+ # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
+ # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis,
+ # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.
+ # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
+ # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+ - name: Setup Golang Environment
+ uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+ with:
+ go-version: stable
+ if: matrix.language == 'go'
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
+ with:
+ languages: ${{ matrix.language }}
+ build-mode: ${{ matrix.build-mode }}
+ # If you wish to specify custom queries, you can do so here or in a config file.
+ # By default, queries listed here will override any specified in a config file.
+ # Prefix the list here with "+" to use these queries and those in the config file.
+
+ # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+ # queries: security-extended,security-and-quality
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
+ with:
+ category: "/language:${{matrix.language}}"

.github/workflows/dependabot-auto-merge.yml

@@ -0,0 +1,23 @@
+name: Dependabot auto-merge
+on: pull_request_target
+
+permissions:
+ contents: read
+
+jobs:
+ dependabot:
+ runs-on: ubuntu-22.04
+ if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
+ permissions:
+ pull-requests: write
+ contents: write
+ steps:
+ - name: Dependabot metadata
+ id: dependabot-metadata
+ uses: dependabot/fetch-metadata@5e5f99653a5b510e8555840e80cbf1514ad4af38 # v2.1.0
+
+ - name: Enable auto-merge for Dependabot PRs
+ run: gh pr merge --auto --squash "$PR_URL"
+ env:
+ PR_URL: ${{github.event.pull_request.html_url}}
+ GITHUB_TOKEN: ${{ secrets.NGINX_PAT }}

.github/workflows/fossa.yml

@@ -0,0 +1,30 @@
+name: Fossa
+
+on:
+ push:
+ branches:
+ - main
+ paths-ignore:
+ - "**.md"
+ - "LICENSE"
+
+concurrency:
+ group: ${{ github.ref_name }}-fossa
+ cancel-in-progress: true
+
+permissions:
+ contents: read
+
+jobs:
+ scan:
+ name: Fossa
+ runs-on: ubuntu-22.04
+ if: ${{ github.event.repository.fork == false }}
+ steps:
+ - name: Checkout Repository
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+ - name: Scan
+ uses: fossas/fossa-action@47ef11b1e1e3812e88dae436ccbd2d0cbd1adab0 # v1.3.3
+ with:
+ api-key: ${{ secrets.FOSSA_TOKEN }}

.github/workflows/scorecards.yml

@@ -0,0 +1,61 @@
+name: OpenSSF Scorecards
+on:
+ branch_protection_rule: # yamllint disable-line rule:empty-values
+ schedule:
+ - cron: "31 0 * * 5" # Run every Friday at 00:31 UTC
+ push:
+ branches:
+ - main
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+ analysis:
+ name: Scorecard analysis
+ runs-on: ubuntu-22.04
+ permissions:
+ # Needed to upload the results to code-scanning dashboard.
+ security-events: write
+ # Needed to publish results and get a badge (see publish_results below).
+ id-token: write
+ # Uncomment the permissions below if installing in a private repository.
+ # contents: read
+ # actions: read
+
+ steps:
+ - name: "Checkout code"
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ with:
+ persist-credentials: false
+
+ - name: "Run analysis"
+ uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
+
+ # Public repositories:
+ # - Publish results to OpenSSF REST API for easy access by consumers
+ # - Allows the repository to include the Scorecard badge.
+ # - See https://github.com/ossf/scorecard-action#publishing-results.
+ # For private repositories:
+ # - `publish_results` will always be set to `false`, regardless
+ # of the value entered here.
+ publish_results: true
+
+ # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+ # format to the repository Actions tab.
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+ with:
+ name: SARIF file
+ path: results.sarif
+ retention-days: 5
+
+ # Upload the results to GitHub's code scanning dashboard.
+ - name: "Upload to code-scanning"
+ uses: github/codeql-action/upload-sarif@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
+ with:
+ sarif_file: results.sarif

.pre-commit-config.yaml

@@ -27,41 +27,27 @@ repos:
  hooks:
  - id: gitleaks
 
- - repo: local
- hooks:
- - id: golang-diff
- name: create-go-diff
- entry: bash -c 'git diff -p origin/main > /tmp/diff.patch'
- language: system
- types: [go]
- pass_filenames: false
-
  - repo: https://github.com/golangci/golangci-lint
  rev: v1.59.1
  hooks:
- - id: golangci-lint
+ - id: golangci-lint-full
  name: golangci-lint-root
  alias: golangci-lint-root
- args: [--new-from-patch=/tmp/diff.patch]
 
- - id: golangci-lint
+ - id: golangci-lint-full
  name: golangci-lint-tests
  alias: golangci-lint-tests
  entry: bash -c 'cd tests && golangci-lint run --fix --config $OLDPWD/.golangci.yml'
 
- # Rules are in .markdownlint-cli2.yaml file
- # See https://github.com/DavidAnson/markdownlint/blob/main/doc/Rules.md for rule descriptions
  - repo: https://github.com/DavidAnson/markdownlint-cli2
  rev: v0.13.0
  hooks:
  - id: markdownlint-cli2
 
- # Rules are in .yamllint.yaml file
- # See https://yamllint.readthedocs.io/en/stable/rules.html# for rule descriptions
  - repo: https://github.com/adrienverge/yamllint.git
  rev: v1.35.1
  hooks:
  - id: yamllint
 
 ci:
- skip: [golang-diff, golangci-lint, markdownlint-cli2, yamllint]
+ skip: [golangci-lint-full]

.yamllint.yaml

@@ -3,43 +3,20 @@ yaml-files:
  - "*.yaml"
  - "*.yml"
 
-ignore:
- - .github/workflows/
+ignore-from-file: .gitignore
+
+extends: default
 
 rules:
- braces: enable
- brackets: enable
- colons: enable
- commas: enable
  comments:
- require-starting-space: true
- ignore-shebangs: true
  min-spaces-from-content: 1
  comments-indentation: enable
- document-end: disable
  document-start: disable
- empty-lines: enable
  empty-values: enable
- float-values: disable
- hyphens: enable
- indentation:
- spaces: consistent
- indent-sequences: consistent
- check-multi-line-strings: true
- key-duplicates: enable
- key-ordering: disable
  line-length:
  max: 120
- allow-non-breakable-words: true
- allow-non-breakable-inline-mappings: true
  ignore: |
- .github/workflows/
  .goreleaser.yml
- new-line-at-end-of-file: enable
- new-lines: enable
- octal-values: disable
- quoted-strings: disable
- trailing-spaces: enable
+ .github/
  truthy:
- ignore: |
- .github/workflows/
+ check-keys: false